Non-vulnerable Web Services Nuno Antunes nmsa@dei.uc.pt Advisor: - - PowerPoint PPT Presentation
Methodologies and Tools for the Development of Non-vulnerable Web Services Nuno Antunes nmsa@dei.uc.pt Advisor: Prof. Marco Vieira 2009/2010 Ph.D. Research Proposal Doctoral Program in Science and Information Technology Department of
Ph.D. Research Proposal Doctoral Program in Science and Information Technology Department of Informatics Engineering University of Coimbra
2009/2010
Nuno Antunes nmsa@dei.uc.pt Advisor: Prof. Marco Vieira
2
Nuno Antunes Ph.D. Research Proposal - 2009/2010 September 10, 2010
Contextualization Motivation Research Objectives and Approach Current Work and Preliminary Results Work Plan Conclusions
3
Nuno Antunes Ph.D. Research Proposal - 2009/2010 September 10, 2010
4
Web Services security threats
Web Services are widely exposed to attacks Hackers are moving their focus to applications’ code Traditional security mechanisms cannot mitigate
these attacks
Vulnerabilities like SQL Injection and XPath Injection
are particularly relevant
Developers must
Apply best coding practices Security testing!
Nuno Antunes Ph.D. Research Proposal - 2009/2010 September 10, 2010
5
Nuno Antunes Ph.D. Research Proposal - 2009/2010 September 10, 2010
Developers often disregard security concerns
Focus on satisfying costumer’s requirements Time-to-market constraints limit an in-depth search for
security vulnerabilities
Not specialized on security
6
Nuno Antunes Ph.D. Research Proposal - 2009/2010 September 10, 2010
Automated tools are very important to:
Automatically Detect vulnerabilities Automatically Mitigate vulnerabilities
Help developers
Including the ones not specialized in security
Increase development productivity
7
Nuno Antunes Ph.D. Research Proposal - 2009/2010 September 10, 2010
Benchmarking Improving Vulnerability Detection
Vulnerability Mitigation
Evaluate the existing methodologies
Develop a benchmarking suite to assess and compare
vulnerability detection and mitigation tools
Research and propose improved techniques
8
Evaluate and compare existing solutions to
Guide the improvement of methodologies Existing evaluations have limited value Benchmarking approaches will need:
Workload Procedures and Rules Measures
Nuno Antunes Ph.D. Research Proposal - 2009/2010 September 10, 2010
9
Goal: achieve higher coverage and lower
Tools that don’t need access to services’ code
Can be used by web services’ consumers
Penetration testing tools:
Larger and more comprehensive workloads More complete and complex attackloads Evaluate thoroughly service’s responses
Nuno Antunes Ph.D. Research Proposal - 2009/2010 September 10, 2010
10
Tools that need access to services’ code
Usually present higher coverage rates Important for developers
Static code analysis
Goal: reduce false positives Take advantage of web services’ well defined interface Analyze relation between inputs and vulnerabilities Verify if the inputs of a WS are pre-processed using
vulnerability prevention mechanisms
Combination of different techniques
Penetration testing with runtime anomaly detection
Nuno Antunes Ph.D. Research Proposal - 2009/2010 September 10, 2010
11
Modify service’s code to remove
Without modifying the functional behavior
Introduce attack detection capabilities:
Can be used when applications’ code is unavailable Overhead and false positives are prejudicial
Very important because:
Developers not specialized in security are less capable
to fix vulnerabilities
Vulnerable code patterns are frequently repeated Can save time and costs in repetitive corrections
Nuno Antunes Ph.D. Research Proposal - 2009/2010 September 10, 2010
12
Apply leading commercial security scanners in
300 Web Services tested, randomly selected 4 Scanners used (including two versions of a brand)
Goals:
What is the effectiveness of existing tools for
vulnerability detection?
Can programmers rely on these tools?
What are the most common types of vulnerabilities?
Nuno Antunes Ph.D. Research Proposal - 2009/2010 September 10, 2010
13
Nuno Antunes Ph.D. Research Proposal - 2009/2010 September 10, 2010
Vulnerabilities distributed per type. SQL Injection vulnerabilities without False Positives
False positives analysis in the next slide
14
Detect SQL Injection Vuln. in Web Services:
More representative workload More complete attackload Analyze responses to improve
coverage and reduce false positives
Achieved better results
However, the efficiency is
Nuno Antunes Ph.D. Research Proposal - 2009/2010 September 10, 2010
15
Detect Command Injection V. in Web Services
Implemented for SQL/XPath Inj., but easily extendable
Combine the analysis of services responses
Vulnerabilities are identified by comparing the
structure of SQL/XPath commands executed in the presence of attacks to the ones previously learned in the absence of attacks
Much better results than the existing tools
Discussed together with benchmark results
Nuno Antunes Ph.D. Research Proposal - 2009/2010 September 10, 2010
16
Proposed an approach to benchmark the
Procedures and measures were specified
A concrete benchmark was implemented
Targeting tools able to detect SQL Injection A benchmarking example was conducted
Results show that the benchmark can be used
Nuno Antunes Ph.D. Research Proposal - 2009/2010 September 10, 2010
17
Nuno Antunes Ph.D. Research Proposal - 2009/2010 September 10, 2010
Results for CIVS-WS and static analysis Results for Penetration Testing Benchmarked Tools Ranking
Tool % TP % FP CIVS 79% 0% SA1 55% 7% SA2 100% 36% SA3 14% 67% Tool % TP % FP VS1 32% 54% VS2 24% 61% VS3 2% 0% VS4 24% 43%
18
Nuno Antunes Ph.D. Research Proposal - 2009/2010 September 10, 2010
19
Journals with high impact factor:
IEEE Trans. on Software Engineering (TSE) IEEE Trans. on Dependable and Secure Comp. (TDSC) International Journal of Web Services Research (JWSR) IEEE Trans. on Services Computing (TSC)
First tier conferences:
IEEE/IFIP Dependable Systems and Networks (DSN) IEEE International Conference on Web Services (ICWS) IEEE Services Computing Conference (SCC) …
Nuno Antunes Ph.D. Research Proposal - 2009/2010 September 10, 2010
20
The main goal is to provide tools that help to
Many Web Services present security vulnerabilities
Its important to improve automated tools
Vulnerability detection Vulnerability mitigation
We also need to benchmark these tools This work is important for web services’
… and also has great scientific potential!
Nuno Antunes Ph.D. Research Proposal - 2009/2010 September 10, 2010
21
Nuno Antunes Department of Informatics Engineering University of Coimbra
nmsa@dei.uc.pt
1.
Antunes, N. and Vieira, M., “Benchmarking Vulnerability Detection Tools for Web Services”, IEEE International Conference on Web Services (ICWS 2010), Miami, Florida, USA, July 2010. [Acceptance Rate: 17.6%, Best Paper Award]
2.
Antunes, N. and Vieira, M., “Comparing the Effectiveness of Penetration Testing and Static Code Analysis on the Detection of SQL Injection Vulnerabilities in Web Services”, IEEE 15th Pacific Rim International Symposium on Dependable Computing (PRDC’09), Shanghai, China, November 2009. [Acceptance Rate: 30%]
3.
Antunes, N. and Laranjeiro, N. and Vieira, M. and Madeira, H., “Effective Detection of SQL/XPath Injection Vulnerabilities in Web Services”, IEEE International Conference on Services Computing (SCC 2009), Bangalore, India, September 2009. [Acceptance Rate: 18.5%]
4.
Antunes, N. and Vieira, M., “Detecting SQL Injection Vulnerabilities in Web Services”, Fourth Latin-American Symposium on Dependable Computing (LADC 2009), João Pessoa, Paraíba, Brazil, September 2009. [Acceptance Rate: 39%]
5.
Vieira, M. and Antunes, N. and Madeira, H., “Using Web Security Scanners to Detect Vulnerabilities in Web Services”, 39th Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN 2009), Estoril, Lisbon, Portugal, June 2009. [Acceptance Rate: 24.2%]
Nuno Antunes Ph.D. Research Proposal - 2009/2010 September 10, 2010